Comments

We've just started generating passwords and creating new login items with 1Password for Chrome. I'm pretty delighted to see the progress made thus far, but there's certainly a lot more work to go. User selectable password recipes is a feature that will be added in a future version of 1Password. Our design team has some awesome looking mockups, we just need to get the actual coding done.

@multiplatformuser: No promises yet since we are designing the new password generator from the ground up, but including at least one number is something that will help on many websites that require a number in a password.

@shopthor: You're not stupid! It's a feature that we are still perfecting (the password recipes being a good example) and therefore less discoverable. You can generate a new password by clicking the 1Password logo while in a Password field. Then select "Use Suggested Password" from the displayed inline menu. If you already have a Login item for the website your using, you may need to toggle the inline menu by clicking the 1Password logo. It should look something like so:

Yeah I never would have figured that out! How do I change the suggestion parameters? As I'm sure you know, many sites can't handle a password as long as the default! They should, but they don't. And we have to live in the world that we live in.

Hmm. I have encountered a situation where I don't have the option to set up a new password.

(1) Share some passwords with wife through common vault
(2) Wife logs into service X, doesn't do a login, so there is just a free-floating password
(3) I try to login to to service X
(4) My only option is to enter her password, which obviously I don't want. I can't generate a new password.

Bleah! If you can replicate, please put it on the list. Thanks so much!

If you click the 1Password icon to dismiss the list of logins and then click the icon again, you should see the options to save a password or use a generated password in the list. They’re a bit hidden right now while we work on better form detection, so we don’t show them automatically if you already have logins. Sorry for the confusion.

We are glad you asked too because it means others will as well. We don't want our inline menu to be too aggressive until 1Password can better evaluate a website and show you the best options to interact with that site. I truly believe you'll see this improve with time as we improve the background logic that happens.

A feature that allows for user customized character sets (down to single character granularity for symbols, not groups of symbols for example) and user defined max password generation length restrictions, on a site-by-site basis, is very important to me. For example, I believe gmail can accept up to 100 character long passwords with few if any restrictions on the special characters (symbols); however, most other sites I use limit the password length to various shorter lengths and often impose restrictions on the symbols that can be used. With dozens to hundreds of accounts a user might have, keeping track of the various site rules from a user perspective is nightmarish, to say the least, when one is trying to maximize password entropy for critical accounts (bank, mail, social security, IRA, etc.).

There is an app for iOS that allows such saved customized templates (at least for the character sets, but not the length), and it's about the only software I have found that mostly fits my use case need; however, it appears to have some randomness issues and a few other bugs that make me want to use a better alternative. To me, this would be a fantastic feature, IMHO. However, being a developer myself, I understand the types of issues you are up against regarding UI complexity and trying to satisfy the masses that have varying levels of security experience. Still, I think this is an area that would greatly benefit users with a well-thought flexible design.

A feature that allows for user customized character sets (down to single character granularity for symbols, not groups of symbols for example) and user defined max password generation length restrictions, on a site-by-site basis, is very important to me.

For example, I believe gmail can accept up to 100 character long passwords with few if any restrictions on the special characters (symbols);

Okay, can I just say, I've loved Gmail from the start. Google can get a bit weird at times, but let's just take a moment to appreciate that Gmail not only revolutionized email, but they've got really solid security and no silly password restrictions. <3

however, most other sites I use limit the password length to various shorter lengths and often impose restrictions on the symbols that can be used. With dozens to hundreds of accounts a user might have, keeping track of the various site rules from a user perspective is nightmarish, to say the least, when one is trying to maximize password entropy for critical accounts (bank, mail, social security, IRA, etc.).

Yeah, no one can keep track of per-site restrictions — including us. So our focus is on sane, secure defaults. I remember a number of big names over the years who have removed or relaxed password restrictions, so there is hope. It's getting better.

There is an app for iOS that allows such saved customized templates (at least for the character sets, but not the length), and it's about the only software I have found that mostly fits my use case need; however, it appears to have some randomness issues and a few other bugs that make me want to use a better alternative. To me, this would be a fantastic feature, IMHO. However, being a developer myself, I understand the types of issues you are up against regarding UI complexity and trying to satisfy the masses that have varying levels of security experience. Still, I think this is an area that would greatly benefit users with a well-thought flexible design.

We're in complete agreement. This sucks for users, and though it's a challenge to find a good way of doing things that gives people more flexibility without making the experience worse, that's exactly the kind of challenge we love, and we're determined to find a solution. Thank you for your feedback on this, and the encouragement.

I did find that. But I'd like my default to be longer and include symbols. And I definitely like the idea above of being able to select which symbols.

@kth_singing: We're in agreement that it would be nice to be able to exclude certain symbols, but setting the default to be longer is doesn't offer much security benefit at this point due to dishing returns: we're dealing with infeasibility with regard to brute force attacks either way. Certainly though, if you're making up passwords yourself, longer would be better. Fortunately none of that is necessary with 1Password.

I'm sorry to do this to you, but I recently wrote a fairly in-depth post which is only peripherally related, but still relevant in many ways to this discussion:

20 characters is a much better "standard", since even if you're only allowed capital and lowercase letters that's very good entropy:

(52)log2=5.7004397181 <- bits of entropy per character
5.7004397181(20) <- length of password
= 114.0087944 <- bits of entropy total

Most websites will also accept a password like that, so it's the default we're using now in 1Password X. That really future proofs things so you don't need to worry about changing all of your website passwords (unless they're compromised). Or you can use a word-based password composed of 8 words for similar effect:

You'd probably balk at a suggestion to generate 8-word passwords for websites (and, in fact, many websites wouldn't allow that because of the length anyway), but making a character-based password longer is equally unnecessary, even if it doesn't feel that way. What you get with the default alone is not only more compatible, but ludicrously strong. And flipping the switch to use symbols as well on a site which allows it will get you an even stronger password, even though it really isn't needed at that level. Cheers!

Changing the 1Password Menu > Password Generator settings doesn't change the passwords generated by 1Password in the Edit Box fields of the website - those are still way too long with random characters, which can make them unusable for various reasons (e.g. if you have to enter on a phone) - after all 20char pw with complex symbols are not warranted for a discussion forum.

@la1pass: That's interesting. Usually we get the opposite feedback: people want passwords longer than 20 characters. 20 random characters is more than sufficient though, security-wise, and compatible with most websites' policies, so that's the default we're using for now.

Anyway, this is a discussion in the 1Password X category of the forum, about 1Password X. But it sounds like you're using 1Password for Windows or 1Password for Mac. It won't apply to those. You can use the 1Password desktop extension instead if you want it to share settings with the native app:

1Password X operates on its own, solely within the browser. It has no connection to apps you use elsewhere. Its Suggested Password feature always uses the same preset. If you want to create a password with different criteria, you can open 1Password X from the toolbar icon in your browser and use the Password generator there:

I hope this helps. Be sure to let me know if you have any other questions!

Thank you for getting back - I am using 1Password X 1.12.3 for FF.
" Its [1PWX] Suggested Password feature always uses the same preset." I think that this the critical sentence - i.e. the suggested PW ignores the user settings in 1PWX Password Generator?

Its Suggested Password feature always uses the same preset. If you want to create a password with different criteria, you can open 1Password X from the toolbar icon in your browser and use the Password generator there:

The Password Generator will remember your last settings, and you can tweak it if you need to before clicking "copy" or "fill" as well.